JPH05224604A - Method and apparatus for forming official and private key pair by using pass phrase - Google Patents

Abstract

PURPOSE: To make a user port public and private keys from a certain cipher system to another cipher system and improve security protection, by generating a pair of the public key and the private key from a path phrase first. CONSTITUTION: This device is provided with a cipher facility 30, a cipher key data set 32, a ciphering mechanism access program 24 and an application program 36. Then, the first pair of the public key and the private key is generated by using a first seed value known to the user and a first control vector for defining the first private use of the first pair of the public key and the private key is generated. Then, the second pair of the public key and the private key is generated by using a second seed value known to the user and a second control vector for defining the second private use of the second pair of the public key and the private key is generated. Then, the private use of the first pair of the public key and the private key is controlled by using the first control vector and the private use of the second pair of the public key and the private key is controlled by using the second control vector.

Description

Detailed Description of the Invention

[0001]

FIELD OF THE INVENTION This invention relates generally to data processing systems and methods, and more particularly to cryptographic systems and methods for use in data processing systems to enhance security.

[0002]

BACKGROUND OF THE INVENTION The following patents and co-pending patent specifications are hereby incorporated by reference in connection with the present invention.

B. Brachtl et al., "Controlled Use of Cryptographic Keys Via Generation Station Setting Control Values" USP 4,8
50,017 (July 18, 1989, assignee IBM
Corporation) SM Matyas et al. "Key Security Management Using Control Vectors" USP 4,941,176 (July 10, 1990, Assignee IBM Corporation) SM Matyas et al. "Data Cryptographic Operation Using Control Vectors" USP 4,918,728 (April 17, 1990)
JP, Assignee IBM Corporation) SM Matyas et al., "Personal Identification Number Processing Using Control Vectors" USP 4,924,514 (May 8, 1990)
Japan, Assignee IBM Corporation) SM Matyas, et al. “Key Security Management Using Extended Control Keys” USP 4,924,515 (May 8, 1990, Assignee IBM Corporation) SM Matyas, et al. Security Key Management Using "USP 4,993,069 (2991 1991)
Assignee IBM Corporation) SM Matyas et al., "Secure Key Management With Programmable Control Vector Checks" USP 5,007,08
9 (Assignee IBM Corporatio, April 9, 1991)
n) B. Brachtl et al., "Data authentication using modified detection code based on public one-way encryption function" USP 4,908,86
1 (3 March 1990, assignee IBM Corporatio
n) D. Abraham et al., "Smart Card with External Programmability and Method of Making It," Application No. 004,501
(Filed January 19, 1987, assignee IBM Co
rporation) SM Matyas et al., "Method for compressing RSA cryptographic variable storage device" USP 4,736,423 (April 5, 1988)
Japan, assignee IBM Corporation) S. Schulz's "Random Number Generator Circuit" USP 4,905,1
76 (February 27, 1990, assignee IBM Corpor
ation) SM Matyas et al., “Key Security Management Using Control Vectors With Multi-Pass Checking”, Application No. 07 / 596,6
37 (October 12, 1990 file, assignee IB
M Corporation) SM Matyas et al., "Secure cryptographic operations using alternative modes of control vector implementation," Application No. 07 / 574,012.
(File August 22, 1990, assignee IBM Co
rporation) SM Matyas et al. "Method and apparatus for controlling the use of public keys based on import integrity level for keys"
Application No. 07 / 602,989 (October 24, 1990)
J. File, Assignee IBM Corporation) SM Matyas et al., "Hybrid public key algorithm / data encryption algorithm key distribution method based on control vector" Application No. 07 / 748,407 (August 1991)
File on 22nd of March, Assignee IBM Corporation) "Public key cryptosystem key management based on control vector" by SM Matyas, etc.
The IBM Corporation) The cipher suite described in the cited SM Matyas et al. Patent is based on the association of a cryptographic key with a control vector that provides authentication for the intended use of the key by the creator of the key. The encryption system described in the cited patent by SM Matyas et al. Is a data encryption algorithm (DEA) (US standard × 3.92-1981, data encryption algorithm, American National Standards Institute, New York (December 3, 1981).
1 day))), while the present invention uses DEA
Etc. based on both secret key and public key algorithms. In accordance with the present invention, various key management functions, data encryption functions, and other data processing functions are possible using control vectors. By choosing the appropriate control vector in accordance with the present invention, the system administrator can be flexible in implementing its security policy. Cryptographic Facility (CF) in Cryptography is SM Matyas quoted earlier
Etc. in the patent. The CF is an instruction processing device for a set of cryptographic instructions and executes an encryption method and a key generation method. A storage device in the cryptographic facility stores a set of internal cryptographic variables. Each cryptographic instruction is described in terms of the sequence of processing steps required to transform a set of input parameters into a set of output parameters. Cryptographic Facility Application Program (CFAP)
It is also mentioned in the referenced patents and application, which defines the calling method (as a calling order) for each cryptographic instruction consisting of an instruction abbreviation and address along with corresponding input and output parameters.

The public key encryption algorithm is W. Diffie,
MEHellman Co-authored “Privacy and Authentication: An Introduction to Cr
yptography ”” Institute of Electrical and Electronics Engineers (IEEE), 67
Volume 3, March 1979, pp. 397-427. Public key systems are based on the fact that a confidential distributed channel will be without it as long as it has a sufficient integrity level. In the public key cryptosystem,
Two keys are used, one for encryption and the other one
Is for decoding. The public key algorithm is (1) easy to generate a random pair of Inverseki PU (for encryption) and PR (for decryption), and (2) easy to calculate by PU and PR, but (3 ) Computing PR from PU is designed to be computationally infeasible. The user keeps the decryption transformation PR confidential and the encryption transformation PU
Make it public by putting it in a public dictionary. Anyone can encrypt a message and send it to the user, but no one else can decrypt the message intended for him. It can be encrypted with PU and decrypted with PR, which is often desired. For this reason, PUs are commonly called public keys and PRs are commonly called private keys. A feature of public key cryptosystems is that they provide a digital signature that uniquely identifies the sender of a message. If user A wishes to send a signed message M to user B, he operates on it with his private key PR to create a signed message S. PR is A when confidentiality is desirable
Used as his decryption key, but here as his "encryption" key. When user B receives message S, he can manipulate ciphertext S with A's public PU to recover message M. By successively decoding A's message, recipient B gains confirmation that it came from sender A. Examples of public key cryptography are the following US patents: Hellman et al. USP 4,218,582 "Public key cryptographic apparatus and method", Hellman et al. USP 4,2.
00,770 “Cryptographic apparatus and method”, Rivest et al., US
P.4,405,829 "Cryptographic Communication Systems and Methods".

In most cryptographic systems, once the cryptographic key is generated, it can be stored in the cryptographic key data set in encrypted form, or encrypted from the generator to the receiver. It can also be transmitted and re-encrypted there in a form suitable for storage and use at the receiving device. The key is ported from one device to another by writing the key to a suitable medium (eg diskette, magnetic tape, memory card, smart card) and transporting the medium or by electronically transmitting the key. It However, the key being transported or transmitted is a secret key, such as a secret key used with a symmetric key encryption algorithm (eg, a data encryption algorithm), or a public and private key pair used with an asymmetric key encryption algorithm. When it's a private key,
There is always the danger that the key may be intercepted by the enemy. One way to securely transport or transmit secret or private keys is to encrypt them with a shared key between the sending device and the receiving device. However, if the sending, receiving device does not share a key that would facilitate such a secure encrypted channel, or the sending, receiving device sets up such a keying relationship to facilitate such a secure channel. May be inconvenient or impossible. Therefore, the only convenient way to port a secret key from one device to another is often to port the clear key.

[0006]

OBJECTS OF THE INVENTION It is an object of the present invention to provide an improved method for a user to port public and private keys from one cryptosystem to another.

Another object of the present invention is to allow a user to use public and private keys from one cryptographic system to another without requiring a separate storage medium such as a diskette, magnetic tape, memory card, or smart card. Is to be able to port.

Yet another object of the present invention is to generate a user's public and private keys, which can be used while the user is actually using the cryptographic device, and who is not using the cryptographic device. Is to be able to purge the key from the cryptographic device.

Yet another object of the present invention is to initialize a user's public and private keys within a portable computer having cryptographic capabilities during the period when the user requires cryptographic services, and when no cryptographic system is required. Is to purge the key from the portable computer.

Yet another object of the present invention is a method by which a user's public and private key pairs can be generated or regenerated on any cryptographic device in a cryptographic device network solely from what the user remembers, such as a passphrase. To provide.

Yet another object of the present invention is to ensure that the number of passphrase combinations is greater than 2 to the power of 128, yet the passphrase is sufficiently redundant for the user to easily store it. To provide a method for constructing a passphrase.

Yet another object of the present invention is to generate and regenerate public and private key pairs from an input passphrase, where the key generation algorithm is based on the Rivest-Shamir-Adelman (RSA) public key encryption algorithm. To provide the method.

Yet another object of the present invention is to provide a method for generating and regenerating public and private key pairs from an input passphrase, where the key generation algorithm is based on any public key cryptographic algorithm. It is in.

Yet another object of the present invention is to provide a key management system that allows a key generation algorithm to create a public key and private key pair of a first type that is not passphrase based and a second type that is passphrase based. Especially.

Another object of the present invention is to provide a first type of public and private key pair that is not based on a passphrase, the first
Key usage is based on the first set of allowed key usages, and the second type of public and private key pairs based on passphrases is allowed the first key usage. It is to provide a key management system that is based on a second set of key usages.

Another object of the present invention is that the public and private keys generated from the passphrase can be cryptographically separated from the public and private keys not generated from the passphrase, and thus from the passphrase. It is an object of the present invention to provide a key management system in which the generated public key and private key cannot weaken the overall security of a cryptographic system that uses both types of generated public key and private key. SUMMARY OF THE INVENTION The above and other objects, features and advantages are achieved by the present invention disclosed herein. The present invention provides an alternative means of porting a secret or public key from one device to another in a network of cryptographic devices. The present invention also provides a means for the user of the cryptographic device to purge its secret key while not actually using the cryptographic device, and to regenerate the secret key while actually using the cryptographic device. provide. This is accomplished by first generating the public and private key pairs from the passphrase provided by the user to the key generation algorithm. Each time thereafter the same key pair needs to be regenerated, the user enters the same passphrase, from which the key generation algorithm derives the same public and private keypair. Such a procedure is used by a single user who owns a portable programmable computer (PC) with cryptographic capabilities. The key is purged from the system while the user is on the move.
The key is regenerated while the user is using the cryptosystem. The concept of the passphrase is similar to that of the password, except that the passphrase may be as long as 80 characters or more.
Although the passphrase can contain more characters, it can contain more variability than a password, but it is easy for the user to remember the passphrase.

FIG. 1 generates a public and private key when the device is in use and purges the key when not in use 2
Cryptographic system A shared by two users i, j
2 is a block diagram of FIG. Here, referring to FIG. 1, at time t1, the first user (user i) inputs his own passphrase and calls the key generation function so that his public key and private keys PUi, PRi are encrypted system A. To be regenerated. From time t0 to time t
Up to 1, user i actually uses the encryption key. Time t
1, the user i calls the key purge function to purge the public key and the private keys PUi, PR1. Time t2
Then, the second user (user j) inputs his own password and calls the key generation function, so that his public key and private keys PUj, PRj are regenerated in the cryptosystem A. From time t2 to time t3, the user j actually uses his own encryption key. At time t3,
User j calls the key purge function to purge his public key and private keys PUj, PRj. The key purging function described here is purging both public and private keys. In reality, purging only private keys may be sufficient.

FIG. 2 is shared by a single user i who generates his public and private key pair when a single user i wants to use a device and purges his key when he finishes using the device. 3 is a block diagram of cryptographic systems A and B. FIG. Referring now to FIG. 2, time t
At 0, user i inputs his passphrase and calls the key generation function so that his public key and private keys PUi, PRi are regenerated in the cryptosystem A. From time t0 to time t1, user i actually uses the encryption key. At time t1, user i purges his public and private keys PUi, PRi by invoking the key purge function. From time t1 to time t2, the user is from cryptosystem A to cryptosystem B.
Move to. At time t2, the user i inputs his passphrase and calls the key generation function so that his public key and private keys PUi, RVi are regenerated in the cryptosystem B. From time t2 to time t3, the user i actually uses the encryption key. Time t3
Then, the user i purges the public key and the private keys PUi, RVi by calling the key purge function.

A passphrase consists of words or phrases taken in natural language, for example English. "Time is like the wind,
Examples of passphrases are "fruits fly like bananas", "Don't worry, nothing bad happens", "My father bought a dog for my brother, and my brother is still a child." But not).

Since the passphrase is a sequence of meaningful words, the user can remember and remember the passphrase, even if the passphrase contains more than 80 characters (including spaces). For this reason, the number of passphrase combinations can easily exceed 2 to the power of 128 (ie, greater than or equal to the number of double DEA key combinations). The user is also provided with a set of instructions or guidelines for creating the passphrase. This prevents the user from inadvertently using a passphrase that an enemy can easily guess. For example, even if the passphrase "Mary has a lamb ..." is long, if the first two words are known, the rest will be known. It is easy to understand that the enemy cannot guess passphrases such as "Donald Duck, Jack Benney, and Alfred the Great playing chess while eating a golf ball." During key generation, a passphrase is used as a seed value for generating a required random number used by the key generation algorithm in the process of generating a key. The key generation algorithm does not use any random number other than the one generated from the passphrase. Since the generated public key and private key pair (PU, PR) depend only on the passphrase, any cryptographic device in the cryptographic device network that executes the same key generation algorithm (PU, PR,
PR) can be regenerated. This may be the case if the network is made up of cryptographic equipment purchased from a single vendor, or if the key generation methods are standardized and run on several products from different vendors. This is the case.

[0021]

BEST MODE FOR CARRYING OUT THE INVENTION The concept of generating a key from a character string provided by a user of a cryptosystem has been implemented in the IBM Information Protection System (IPS).
User Guide, Order No. SH20-262
1, IBM Corporation (August 1982)
Please refer to the Information Protection System Cryptographic Program of (Mon). This information protection system is a file protection system designed based on the concept that a user of the encryption system controls and manages a key used for encrypting and decrypting a data file. There is no key for the system itself. When the data needs to be encrypted or decrypted, the user must provide the key to the cryptographic system. The user may specify either a hexadecimal digit key or a character string of up to 80 characters. When a character string is input, IPS sets the input character string to 5 by the following method.
Do a "crunch" (hash) on a 6-bit key. The input character string is padded on the right with blanks to a length of 80 characters. The input string is then divided into blocks of 8 characters. The value of the resulting embedded data is X "010101.
It is encrypted with DEA using the cipher block chaining (CBC) mode with a constant key of "0101010101" and an initial tuning value whose value is X "0000000000000000". The rightmost 56 bits of the ciphertext in the final 64-bit block are taken as the "crunch" data key (no parity bit).

The method of creating a data key from a character string in an information protection system does not extend to the creation of public and private key pairs. This is because the public key generation algorithm is more complicated. To generate public and private key pairs from a user-provided passphrase, the key generation algorithm itself must be modified and a dynamically seeded pseudo-random number generator must be used. A dynamically seeded pseudorandom number generator is an algorithmic procedure that generates a pseudorandom number from a seed value defined as an input to the generator. Such pseudo-random number generators are not suitable for generating most random numbers in cryptosystems. This is because the caller of the random number generator often does not have or does not have a seed value that can be defined as an input. Therefore, in practice, most cryptographic systems have no convenient way to use a dynamically seeded pseudo-random number generator. Instead, these cryptographic systems use an initially seeded pseudo-random number generator or special hardware that can generate true random numbers. Wherever it would be advantageous to implement the method of the present invention, a cryptographic system would need to implement the following two random number generators:
(1) is an initially seeded pseudo random number generator or a true random number hardware generator, and (2) is a dynamically seeded pseudo random number generator. It would also be necessary to employ a key generation algorithm design that allows public and private keys to be generated utilizing a dynamically seeded pseudo-random number generator. These aspects of the invention are described in detail below.

USP 4,736,423 cited above
"RSA Cryptographic Variable Storage" describes a method for computing a 50-bit non-secret value Y from a 56-bit secret value X to regenerate public and private keys with a 400-bit modulus and a 400-bit exponent. You can always use it to do so. For larger exponents and modulus lengths, the length of y increases only slightly while X remains constant at 56 bits. The secret key value X is given as an input to the key generation algorithm and, in addition to calculating the public and private keys PU, PR, also calculates the 50-bit value of y. The value y can be regenerated very quickly with X as well as the public and private RSA keys PU, PR compared to the time it took initially to generate PU, PR. Is special. This approach is a compromise between the two: storing the PU, PR (ie the total exponent and the modulus) on the one hand and regenerating the PU, PR on the other hand each time they are needed. USP 4,736,423
The technique reduces the number of bits that must be stored instead of requiring a short computational step to regenerate the key. In the present invention, the public key and the private key are all generated from the passphrase stored by the user. USP4
The number Y is a 50-bit dependent variable, as opposed to the method of 736,423, which utilizes a 56-bit independent variable X that is theoretically obtained by hashing the input passphrase. That is, in order to port the public and private keys, the user must port the dependent variable y and also enter it with the independent variable X so that the cryptosystem regenerates the public and private key pairs.
Although USP 4,736,423 has some of the advantages of the present invention, the present invention allows keys to be transported from one device to another independently of additional information other than passphrases. .. Therefore, according to the present invention, UPS 4,736,4
It enables a form of keyport that cannot be achieved by the method of 23.

As an explanation of the environment of the present invention disclosed here,
3 is a network block diagram showing the communication network 10, to which a large number of data processing devices including a data processing device 20, a data processing device 20 ', and a data processing device 20 "are connected. Thus, each data processing device also includes a cryptographic system, the data processing device 20 including a cryptographic system 22.
Reference numeral 0'includes a cryptographic system 22 ', and the data processing device 2
0 ″ includes the cryptographic system 22 ″. Each data processing device supports a processing procedure of a plurality of applications which requires access to a cryptographic service for encryption, decryption, authentication, generation of an encryption key, introduction, etc. of application data. Cryptographic services are provided by the secure cryptographic mechanism of each cryptographic system. The network provides a means for sending and receiving data and keys encrypted by the data processing device. Various protocols, that is, formats and procedural rules, govern the exchange of cryptographic amounts between communication data processing devices to ensure interoperability.

FIG. 4 illustrates a cryptographic system 22 of the invention disclosed herein. In the cryptographic system 22, the cryptographic mechanism (CF) 30 has an input 37 from a physical interface. Cryptographic mechanism access program (CFA
P) 34 is coupled to the encryption mechanism 30 by the interface 31. The encryption key data set (CKDS) 32 is connected to the encryption mechanism access program 34 by the interface 33. Application program (A
The PPL) 36 is connected to the encryption mechanism access program 34 by the interface 35.

A typical cryptographic service request is an APP through a function call to CFAP 34 at interface 35.
Start with L36. The service request includes the key and data parameter, and the key identifier used by the CFAP 34 to access the encrypted key from the CKD 32 of the interface 33. The CFAP 34 processes the service request by issuing a plurality of cryptographic access commands to the CF 30 of the interface 31. The CF 30 may also have an optional physical interface 37 for direct entry of cryptographic variables into the CF 30. CF
Each cryptographic access instruction called by CF 31 has a set of input parameters processed by CF 30 to create a set of output parameters returned by 30 to CFAP 34. CFAP34 is replaced by A
Output parameters can also be returned to PPL 36. The CFAP 34 can also use output and input parameters in subsequent call instructions. If the output parameters include encrypted keys, then CFAP 34 may often store these encrypted keys in CKDS 32.

FIG. 5 illustrates the inventive encryption mechanism 30 disclosed herein. The encryption mechanism 30 has a security range 140.
Be protected within. The encryption mechanism 30 includes an instruction processing device 14
2 is included, and the cryptographic algorithm 144 embodied as the execution code is coupled to this. Cryptographic environment storage 146 is coupled to instruction processor 142. The physical interface may be coupled to CF environment storage 146 via line 37 as shown. Instruction processing device 1
42 is coupled to the cryptographic mechanism access program (CFAP) 34 by the interface 31.

The instruction processing unit 142 has an interface 31.
Is a functional element that executes the cryptographic microinstruction called by the CFAP access instruction. For each access instruction, the interface 31 first defines an instruction mnemonic or operation code used to select a special micro instruction for execution. Second, the set of input parameters is CFAP34
To CF30. Third, the set of output parameters is returned by CF 30 to CFAP 34.
The instruction processing unit 142 is a cryptographic micro instruction storage unit 144.
Execute the selected instruction by implementing the specified order of instructions of the cryptographic processing step embodied as microinstructions stored in. The control flow and the subsequent output of the cryptographic processing step are determined by the values of the input parameters and the contents of the CF environment storage 146. CF environment storage device 146
Is, for example, a set of cryptographic variables that are collectively stored in the CF 30, such as keys, flags, counters, CF configuration data, and the like. The CF environment variables in the storage device 146 are initialized through the interface 31, which reads the input parameters and uses the CF environment storage device 14
By the execution of some CF microinstruction, which loads 6
Alternatively, initialization can be done through an optional physical interface, which can load the cryptographic variables directly into the CF environment storage, such as through an attached key input device.

The physical embodiment of the cryptographic mechanism security scope 140 has the following physical security features: The physical embodiment resists probing by insider advisory with limited access to the cryptographic mechanism 30. The term "restricted" is measured in minutes and hours rather than days, weeks. An adversary (enemy) is limited to a probing attack at a customer's location with limited electronic equipment, unlike a pilot attack that is launched in the controlled area of the adversary using sophisticated electronic and mechanical equipment. The physical embodiment also uses various electromechanical sensing devices to detect physical probing or intrusion attempts. The physical embodiment of the encryption mechanism 30 also provides for zeroing of all internally stored secret cryptographic variables. This zeroing is done automatically if attempted brobbing or intrusion may be detected.
The physical embodiment also provides a manual function for zeroing internally stored secret cryptographic variables. Reference is made to the above-cited Abraham et al. Patent application for examples of how these physical security features can be implemented.

Key Generation Process: FIG. 6 shows the cryptographic algorithm 1 included in the encryption mechanism 30 of the present invention disclosed herein.
It is a block diagram explaining 44. Referring to FIG. 6, the cryptographic algorithm 144 includes a cryptographic algorithm 150 for performing encryption and decryption operations, a key generation algorithm (KGA) 151 for key generation, and a random number generation algorithm 152 for random number generation. For the time being, we will not distinguish between random numbers and pseudo-random numbers. That is, the random number generation algorithm 152 may be a true random number generator or an algorithm that creates a pseudo random number. Random number generators and pseudo-random number generators are discussed below. Cryptographic algorithm 15
0 is a data encryption algorithm (American standard X3.9
2-1981, data encryption algorithm, American National Standards Institute, New York (December 31, 1981)) or the like, asymmetrical such as RSA algorithm, or public key or algorithm. . For public key algorithms, there may or may not be a difference between the mathematical operations of encryption and decryption. For example, in the RSA algorithm, both encryption and decryption are executed as exponentiation modulo. The cryptographic algorithm 150 is accessed by the instruction processing device 142 through the interface 153, and this interface 153 is used by the instruction processing device 1
42 to perform the basic operations of encryption and decryption. At the same time, the interface 153 has keys, data, and other cryptographic variables as the cryptographic algorithm 150 and the instruction processing unit 142.
I am trying to pass between In a similar manner, the key generation algorithm 151 is accessed by the instruction processor 142 through the interface 154,
4 causes the instruction processing unit 142 to request key generation. Interface 154 allows keys, data, and other cryptographic variables to be simultaneously passed between each of the two components. The key generation algorithm is also accessed through the interface 155 to the random number generation algorithm. As a result, the key generation algorithm 151 requests and accepts a random number from the random number generation algorithm 152 necessary for the key generation process. The random number generation algorithm 152 also interfaces to the instruction processor 142 through the interface 156, causing the instruction processor 142 to request the generation of random numbers needed for cryptographic purposes other than key generation.

When the cryptographic algorithm 150 is a symmetric or public key cryptographic algorithm such as DEA, the key generation step by the key generation algorithm 151 is simple. In general, the process of generating with an n-bit key (assuming n = 64) consists of the following steps. 64
A bit random number RN is requested from the random number generation algorithm 152. In some cases, the RN may be taken directly as the key to be generated. However, in many cryptographic systems, key generation also involves adjusting each byte of the key for odd parity. In still other cases, the key generation algorithm may use a key value to ensure that the key value does not have some perceived undesirable property, eg, that the key is not a "runtime" or "semi-runtime" DEA key. May be tested. "Runtime" or "Semi-runtime"
Regarding DEA key standard, Meyer and Mat
Co-authored by yas, "Cryptography-A New Dimension of Computer Data Protection", John Wiley & Sons, New
See York, 1982. Adjusting key parity is a common practice in many cryptosystems, but in most cases this additional test is ignored.

When the cryptographic algorithm 150 is an object such as the RSA algorithm or a public key cryptographic algorithm,
More steps are included to generate a key with the key generation algorithm 151. In the public key cryptosystem, a public key and a private key pair (PU1, PR1),
(PU2, PR2) etc. are special key generation algorithms (K
Created with the help of GA). The KGA sometimes creates a random number that the KGA then uses to create the key.
Contains a combination of processes that are created or required by.
These random numbers may be tested and rejected, and other random numbers may be required and tested until certain mathematical properties are met. In yet another case, the KGA may take a random number, or a random value that is accepted after being tested against a mathematical property or properties, from which one or more other values may then be taken. Will derive. Generally, KGAs require some and more random components (ie, random numbers) in the creation of keys. Otherwise, the same public and private key pair could be generated each time the KGA is called. This seems to be randomly extracted from the space of possible keypairs, not of course allowed, or at least co-randomly, so the enemy guesses the keypairs created by KGA. Public key and private key pair (PU1, PR1), (PU
2, PR2) must be created by KGA. As mentioned above, in addition to utilizing random numbers in key generation, KGA makes use of mathematical processes, where values are other values (ie, use of constructive processes).
Calculated or derived from and calculate the value using a process of trial and error (ie test and reject trial values until the desired value is found). The preferred embodiment uses the seed value to initialize the pseudo-random number generator rather than using the seed value directly in the key generation algorithm. The reason is that the seed value necessarily has a certain finite length, which means that there is a non-zero probability that the key generation algorithm will need more random bits in the seed, whereas This is because the pseudo random number generator can generate pseudo random numbers of arbitrary length as much as the key generation algorithm requires. If it happens that the key generation algorithm requires more random bits than the seed, direct reuse of the seed value would not be allowed. The reason is that the key generation algorithm may not be able to find a value to the output that satisfies all the test criteria and may not be able to complete the calculation. This potential infinite repetition is avoided by guaranteeing the availability of any number of pseudo bits using a dynamically seeded pseudo random number generation algorithm.

FIG. 7 is a flowchart illustrating the key generation algorithm 151 when the cryptographic algorithm 150 is the RSA algorithm. The key generation algorithm 151 is a public key and private key pair PU = (e, n) and PR.
= (D, n) is created. Here, e and d are called public and private exponents (e and d are positive integers smaller than n), and n is a public modulus. Therefore, in the two-pack (d, n), only the private index d needs security. Referring to FIG. 7, a trial value of p is generated in step 161. At step 162, the value of p is tested for primality. The primality test method is described below. If p is a prime number, control proceeds to step 163. Otherwise control returns to step 161 (ie a new p is created). In step 163, a test is made to see if p is a "strong" prime number. A “strong” prime number is a prime number satisfying an additional criterion set that guarantees that the selected p does not allow mathematical analysis to “break” the cryptographic algorithm by factoring the modulus n into prime numbers p and q. This is a term used in this method to represent p. For a discussion of key generation and additional tests performed on p, q to ensure that p, q is strong enough to thwart cryptographic attacks, see Rivest, R. et al. L, Shamir, A .; , Ad
leman, L .; See "How to Obtain a Digital Signature and Public Key Sensitive System". Step 16
Additional tests performed on p at 3 include tests that p-1 has a large prime factor p'and p'-1 has a large prime factor p ". Another test suggested in the literature is that p + 1 has a large prime factor: if p is a "strong" prime, control proceeds to step 164, otherwise control returns to step 161. .. (Ie a new p is generated). At step 164, a trial value of q is generated. In step 165, the value of p is tested for primality. If p is a prime number, control proceeds to step 166, otherwise control is returned to step 164 (ie a new q is generated). Step 166 tests whether q is a "strong" prime number. Step 16
Additional tests performed on q at 6 include tests that q-1 has a large prime factor q'and q'-1 has a large prime factor q ". Suggestions from literature discussing RSA key generation. Another test to do is to test that q + 1 has a large prime factor, if q is a "strong" prime then control proceeds to step 167, otherwise control returns to step 164. (Ie a new q is generated). In step 167, the public modulus n is formed as the product of p and q. At step 168, the value r is (p
-1) and (q-1). In step 169, the public index e
Is determined as an input. If provided as an input, then control proceeds to step 172 where it is assumed that the given value e satisfies the conditions tested in step 171. As another example, control may flow to step 171 and the given value e may be checked by the key generation algorithm 151. If not provided as input, control proceeds to step 170 and step 17
Generate a trial value of e at 0. In step 171, a test is performed to confirm that e is relatively prime to r. This is easily done and the greatest common divisor of e and r (G
CD) is 1, that is, e and r do not have a common factor other than 1. If e and r are relatively prime to each other, then control proceeds to step 172, otherwise control returns to step 170. (Ie, a new e is generated). In step 172, the value d
Is calculated such that the product of e and d is congruent with 1 modulo r. In step 173, PU = (e, n) and PR =
The calculated value of (d, n) is returned as an output.

One suitable technique for testing large numbers for primality is described by R.M. Solovay, V .; Strassen
"Fast Monte Carlo test for primality" SIAM
Journal on Computing, 197
There is the use of the valid "probabilistic" algorithm described in March 1987, pages 84 and 85. There, the random number "a" is taken from the uniform distribution (1, 2, ..., X-1), and whether the greatest common divisor of "a" and X is 1, that is, GCD (a, X) = 1 Check whether the Jacobi symbol of "a" and X represented by J (a, X) is congruent with Q modulo X (where Q is (X-1) / of "a")
Equal to the power of 2). This is an integer (a1,
a, 2, etc., where each "a" in the set is less than X), tests X for primality. As shown in FIG. 7, when the RSA key is generated, the value X is set to the value p,
Note that we replace it with q. This test requires that both of the above conditions be held for each "a" value in the set. Therefore, if there is "a" in the set where both conditions are not held, it can be seen that X is a complex number. At other times, X is accepted as a prime number. This procedure does not guarantee that the selected number is prime, only that it has not failed the primality test. The larger the number of integers a (a1, a2, etc.) in the set, the greater the probability that the selected number is a prime number. However, it is, of course, assumed that both conditions are satisfied for each integer "a" in the set. The method of calculating the greatest common divisor of two integers, the least common multiple of two integers, and the Jacobian symbol of two integers is well known in the art.

For the RSA algorithm to achieve proper cryptographic protection, the modulus n is approximately 512 bits and 102.
Those skilled in the art are familiar with the need to be a number between 4 bits. In the above key generation algorithm, the public key exponent e can be specified in the key generation algorithm or can be generated by the key generation algorithm.
The advantage of defining e in the key generation algorithm is that a small value (e = 3, for example) can be specified. This improves performance when encrypted with a public key. Private index d
Is the dependent variable and must be derived. Therefore, in practice, d has the same size as the modulus. In this case, if the modulus is 512 bits, the public key PU has 514 bits to 1024 bits depending on the number of bits of the selected exponent e.
Bits, while the private key PR is 1024 bits. RSA keys are much larger than 64-bit or 128-bit DEA keys. Those skilled in the art will also recognize that the public key algorithm is a fairly computationally powerful procedure. Thousands, and possibly millions of DEAs in the time needed to generate a single public and private key pair
Can generate keys. Unlike fixed block size DEA, the RSA algorithm does not require a specific block size. Depending on the modulus length selected for that, RSA
Key generation can be a relatively short or a relatively long process. Key generation algorithm 1
In order for 51 to generate a public key and a private key of a desired size (that is, a specified number of bits), the generated p and q are generated.
Are multiplied together to produce a modulus n of the desired size or bit length, steps 161 and 164
And to design. Additional tests for p, q can be added to the flow chart of FIG. 7, which allows ISO Draft Int
Those skilled in the art will appreciate that key generation may be adapted according to specifications that may be specified in cryptographic standards such as internal Standard 9796, "Digital Signature Scheme with Message Recovery." Further, the RSA key generation algorithm described in FIG. 7 is more efficient if the creation of p and q is not a trial-and-error method but a process of combining trial-and-error and a method of configuring the value thereof. Will be recognized by those skilled in the art. generation of p, p-
Instead of the test that 1 has a big prime p'and the test that p'-1 has a big prime p ", we can start by generating a big prime p". In this case, find the prime number p'from p "by multiplying p" by a small number, add one, and then test the primaryity. If the resulting p'is not a prime number, the same process is repeated, except that p "is multiplied by another decimal number. The same technique can be used to find p to p. Similarly, using the same technique, q You can find q from ″.

Those skilled in the art will recognize that there can be many variations to RSA key generation. However, in any case, the key generation process requires a random number, which can be generated using a random number generator or a pseudo-random number generator. Returning to FIG. 7, trial values of p and q are randomly generated in steps 161 and 164. Once generated, the least significant (lowest or rightmost) bit is B
It can be set equal to "1", ensuring that the generated value is always an odd number. This speeds up processing because all prime numbers except the value 2 are odd. When p and q are generated from p ″ and q ″ as described above, the trial values of p ″ and q ″ are randomly generated. When the public index e is not given as an input to the key generation algorithm 151, a trial value of e is randomly generated. In this way it can be seen that in all cases RSA key generation requires the creation and use of random numbers.

Random Numbers and Pseudo Random Numbers: Most cryptographic systems require some means of creating and using random numbers. For example,
Random numbers are used as initialization vectors or initial chain values, such as when using the cipher block chaining mode of DEA encryption. For example, when using the encryption feedback mode of encryption by DEA, etc., a random number is “seed”.
Use as a value. Many crypto-based identification and authentication protocols use random numbers on an ad hoc basis. Without the ability to generate random numbers, most cryptographic systems would be severely constrained or unusable.

FIGS. 8 and 9 show two methods commonly used to generate random numbers in cryptographic systems. Figure 8 is "true"
3 is a block diagram of a random number generator 180. FIG. The “true” random number generator 180 includes hardware circuitry 181 and is capable of generating random numbers. Means for generating random numbers with such a hardware generator are well known and can be implemented by conventional techniques (USP 4,905,176, R. Schulz, supra).
See "Random Number Generator Circuit," issued February 27, 1990). Requests for random numbers are input through interface 182. The generated random numbers (RN1, RN2, etc.) are output through the interface 183. Actually, the length of the generated random number is a fixed constant of the algorithm, for example, 64 bits. A "true" random number generator has the property that its output value is unpredictable. That is, there should be no algorithm that predicts the output of the random number generator. "true"
The random number generator does not require a seed value for initialization, so there is no way to repeat the output of the generator. This property makes "true" random number generators very desirable for implementation in cryptographic systems. However, the cost of "true" random number generators is relatively high compared to pseudo-random number generators, so most commercial cryptographic systems use pseudo-random number generators.

FIG. 9 is a block diagram of an initially seeded pseudo random number generator 190. The seeded pseudo random number generator 190 has an algorithm 191 and a seed storage device 194 for storing a seed value used by the algorithm 191 for random number generation. (Note that the random numbers generated by the pseudo-random number generator only look random at first glance. To be more precise, the output generated by the pseudo-random number generator should be called pseudo-random numbers. We will also call these random numbers). The initial seed value is specified through interface 195. The initial seed value itself is entered into the cryptographic system through a utility program that interfaces with the cryptographic mechanism through one of the cryptographic instructions, or the installation personnel authorized using the entered password or physical key-operated switch. Input is through a special front panel interface that can only be operated. When using a pseudo-random number generator for key generation, all initial and subsequent seed values must be kept secret. Otherwise, the pseudo-random number generation algorithm is considered to be in the public domain, so the secrecy of the generated random numbers depends on keeping the seed value secret. When generating a random number, the seed value may be dynamically updated by the algorithm 191 depending on the nature of the algorithm 191. Some algorithms 191 also have separate storage, such as a counter or sequence number storage that is automatically updated during random number generation. In this case, the seed value is kept constant and only the counter number or the sequence number is updated. In the case of using a counter number or sequence number, an initial value is set by the algorithm 191 in the seed storage device 194 when the seed value is initialized through the interface 195. Random number requests are input through the interface 192. Generated random number (R
N1, RN2, etc.) are output through the interface 193. Actually, the length of the generated random number is a fixed value, for example, 64 bits. Pseudorandom number generators have the property that their outputs are completely predictable. The output of the pseudo-random number generator is a sequence of numerical values (RN1, RN2
Etc.). RN2 differs from RN1 only because the algorithm has a "memory", so to speak. That is, the algorithm is continuously updating itself, starting from different "starting" points each time the algorithm is invoked. However, if each case of the same algorithm 191 was initialized with the same seed value, the random numbers generated by each algorithm 191 would be exactly the same. It is a good cryptographic implementation that the initial seed value itself should be selected through a random process. In this way, the pseudo random number generators 190, which are initially seeded by different cryptographic devices, generate different random numbers.

FIG. 10 is a block diagram of a dynamically seeded pseudo random number generator 200. The dynamically seeded pseudo random number generator 200 has an algorithm 201 for random number generation. Random number requests are input through the interface 202. The generated random numbers (RN1, RN2, etc.) are output through the interface 203. Interface 20
The length of the random number (named RN) generated in 3 is equal to the value specified by the length parameter in the interface 202. Algorithm 201 does not have a seed value stored internally. Instead, the required seed value is specified to the algorithm 201 at the interface 202. This seed value must be visible to the caller, as it allows interleaving of requests by other callers while ensuring that the same seed will produce the same output. For convenience, the length parameter may be specified by the interface 202 in the algorithm 201 where the random number length from which the length value is generated is determined. In practice, the seed length is usually a fixed constant preset by algorithm 201. To illustrate the operation of the dynamically seeded pseudo random number generator 200, assume the following. (1) Parameter "length" is specified in bits, (2)
The bit length of the parameter "seed" is 128,
L is the length in bits of the desired random number (called RN). In that case, the value specified by the parameter "length" is 128.
+ L, that is, the length of the next seed plus the length of the desired random number.

In another embodiment, when the next seed is created automatically, the parameter "length" is therefore the desired random number RN.
Will specify the length of. In that case, there are two outputs at interface 203, the next seed and RN.
Either embodiment will work. In the first case, the dynamically seeded pseudo-random number generator 200 is unaware of how to create the next seed. Creation and management of the next seed value is under the control of the caller. In the second case, the dynamically seeded pseudo-random number generator 200 is responsible for calculating and returning the next seed value to the caller.

In yet another alternative embodiment, the initially seeded pseudo-random number generator algorithm and the dynamically seeded pseudo-random number generator algorithm are the same algorithm, with the same circuitry and / or Alternatively, a routine can be used. The initially seeded generator uses a system storage that is not accessible to normal users and has a system seed value, which is automatically updated as needed when the initially seeded algorithm is called. It The dynamically seeded generator also requires the caller to pass (and maintain) its seed value. It will be appreciated by those skilled in the art that many embodiments with minor modifications and variations to the above method are possible and that this difference will not affect the invention in any way.

In the present invention, the public key and private key pair (PU, PR) is generated from the secret passphrase as input by the user, and the key generation algorithm regenerates random numbers in the same order for its execution. Therefore, it is very important that the same key pair (PU, PR) can be regenerated each time the same passphrase is specified in the key generation algorithm. In contrast, all other cryptographic applications that require random numbers in a cryptographic system do not need to regenerate random numbers in the same order. In practice, it is sometimes said that the presence of such a capability in a cryptographic system could lead to the undesirable situation of keys being accidentally regenerated.

When the random number required by the key generation algorithm is generated by the method shown in FIGS. 8 and 9, it is impossible to generate a public key and a private key pair (PU, PR) from the passphrase and therefore the passphrase. Is. The “true” random number generator 180 of FIG. 8 cannot be used because there is no way to regenerate the same order of random numbers needed to satisfactorily regenerate the key pair (PU, PR).
Similarly, the seeded pseudo-random number generator 19 of FIG.
0 cannot be used because it does not have a method of regenerating random numbers in the same order. In practice, a pseudo-random number generator is usually initialized only once when the cryptosystem is powered up and connected to the line, or sometimes after a period of device power down. After that, simply request a random number. That is, there is no provision for dynamically respecifying the seed value.
In most cases the caller has no seed value in hand, so
It is best to perform the task of "seeding" the pseudo-random number generator only once, rather than requiring each caller of the pseudo-random number generator to enter his own "seed" value. In fact, it is important from a security point of view that ordinary users cannot specify a seed value for this type of pseudo-random number generator which is considered to be used by many system users.

From the above description, it is clear that the dynamically seeded pseudo-random number generator shown in FIG. 10 can satisfy the requirements of the present invention, but in most cryptographic systems it does not satisfy the general requirements of random number generation. Is. Similarly, from the above discussion, the “true” random number generator shown in FIG. 8 and the initially seeded pseudo-random number generator shown in FIG. 9 can satisfy the general requirements of random number generation in most cryptosystems, but the key generation algorithm Does not meet the requirement for random number generation when he has to regenerate the key from the passphrase. Therefore,
In the preferred embodiment of the invention, two means are required for random number generation as shown in FIG. Referring to FIG. 11, the cryptographic algorithm 144 components of the cryptographic mechanism previously illustrated in FIG. 6 are dynamically seeded pseudo-random number generator 2
00 and the key generation algorithm 151 and the dynamically seeded pseudo-random number generator 200 interface 204
Has been extended to include a random number, and a random number to be returned can be generated by a random number request. The dynamically seeded pseudo-random number generator 200 of FIG. 11 is assumed to operate in the same manner as the previously described dynamically seeded pseudo-random number generator 200 of FIG. That is, the random number request includes the designation of the length and the seed. The output is a random number. The key generation algorithm 151 is assumed to manage the seed value. For example, the first
The seed is calculated from the passphrase using the method described below. Whenever the key generation algorithm 151 requires a random number of length L, it specifies a L + 128 "length" parameter. That is, the next seed is automatically requested and stored in the next seed storage area accessible to the key generation algorithm 151 (for example, in the key generation algorithm 151). If the key generation algorithm of FIG. 11 is the RSA key generation algorithm itself of FIG. 7, steps 161, 164, 170 of FIG. 7 are dynamically seeded pseudo-random number generator 200 at interface 204 of FIG.
Will be a request for random numbers directed at. Therefore, each time step 161, 164 or 170 of FIG. 7 is repeated, a new random number is obtained. There is no way to know in advance how many trials will be required to find a satisfactory value, and since the process is trial and error, the order of random numbers cannot be calculated in advance and trials are performed each time it is necessary.

FIG. 12 is an example of a dynamically seeded pseudo random number generator that satisfies the requirements of the present invention. The algorithm requires 128 bits and divides this into a 64-bit key K and a 64-bit initial chain value ICV. Left side of seed 64
Bit becomes K and right 64 bits of seed becomes ICV. 64n, where m is the number of random bits generated
Let m represent a minimum value greater than m. Here, n represents the number of 64-bit blocks of ciphertext to be generated that are long enough to create an m-bit pseudo-random sequence. To generate the ciphertext, start with an n64 bit block of binary zeros and encrypt with the DEA algorithm using the cipher block chaining mode of DEA encryption. The key and the initial chain value are the above K and ICV itself. The output random number RN of length m is exactly the left (most important) m bits in the resulting ciphertext.

Key Generation Using Passphrase: FIG. 13
Illustrates a cryptographic system, the cryptographic mechanism (CF) 3
0, an encryption key data set (CKDS) 32, an encryption mechanism access program (CFAP) 34, and an application program (APPL) 36. Referring now to FIG. 13, public and private key pairs (P
U, PR) can be traced. 40
Application program A (APPL
A) 42 is called by the user. APPLA is (1) an application that requires the user to generate or regenerate their keys before the application connects to the process, or (2) allows the user to generate or regenerate those keys. It is assumed that it is a utility to do. APPLA prompts the user for a passphrase (referred to as PP) that the user inputs at 41. In response, APPLA A calls the key generation function 47 at 43. 43 is in the CFAP 34 and passes the mode parameter PP and control information.
The control information may be a control vector or information used to create the control vector. The mode parameter indicates to the key generation function whether the generated key is generated on a passphrase basis (mode = “PP”) or not (mode = “non-PP”). Therefore, the PP parameter is a selection parameter. The control information is handling control information that indicates the key type (ie, the type of public and private keys to generate) and the usage of the key in key management. In response, the key generation function 47 parses (1) the input parameters, (2) if mode = “PP”, calculates the 128-bit hash value CW from the input passphrase PP, processes the input control information, and GRVPR. An instruction processing unit 142 of the encryption mechanism 30 is created by calling a GPUPR instruction 52 and creating a control data parameter for which an instruction is designated.
Run with. 50 passes the mode parameter and, if mode = “PP”, the option codeword CW and control data. The control data includes a PU control vector that specifies key-related information related to the public key PU to be generated and a PR control vector that specifies key-related information related to the private key PR to be generated. Each control vector contains a key name that identifies the key within the cryptographic system. Each control vector simultaneously contains a label or a reserved space of a CKDS label to be initialized by the CF and can be used to store and retrieve key tokens from the cryptographic key data set (CKDS) 32. In response, the GPU instruction 52 calls the key generation algorithm KGA, passing the mode parameter as input and the codeword CW if mode = “PP”, as described in more detail in FIG. In response, KGA
Generates public and private keys PU and PR as detailed in FIG. 14, and returns to the GPUPR instruction 52. In response, the GPUPR instruction 52 returns the generated PU
Including the PU key token and P including the generated PR
Create an R key token. PU key token and PR
Key tokens are illustrated in FIG. 15 and are described in detail below. The GPUPR instruction performs a consistency check on modes and control data that are simultaneously input and passed at 50, as described in detail below. With the consistency check,
It is ascertained that the key type and the handling information of the control vector part of each key token match the mode, ie whether the key was generated from a passphrase. P
The U, PR key token is then returned to the key generation function 47 at 51. In response, the key generation function 47 updates the PU and PR key tokens if necessary. For example, CKDS
The reserved field of the token for label storage is filled at this point. The key generation function 47 then causes the key storage manager 46 to store one or two key tokens of the CKDS 32, 44 to return only the key name or label to APPLA A, or 44 to APPL A one. Or return two key tokens. The intent here is to have the APPL 42 manage and control the key token (if desired) or to let the cryptosystem manage and control the key token. Both approaches have advantages, and the key token is CKDS3
Whether stored in 2, or returned to APPL 42, the handling of the key token causes the cryptosystem to be under control of the input parameters specified by APPL A 42 to the key generation function 47 at 43. It is possible to design. In response, APPLA stores the key token if necessary, or as an input to other cryptographic functions performed by CFAP, the key name or label that the PU, PR key token can later respecify. APPLA now tells the user that the requested public and private keys were generated from the input passphrase. APPLA continues processing as needed until the processing is complete. Assuming that one or more of the generated key tokens are stored in CKDS32, A
PPL A calls the key purge function 48 at 45.
45 is in CFAP 34 and passes the key name or label of each key token to be purged. In response, the key purge function 48 sends a CK to the key store manager 46.
Delete each key token from DS32. If APP
If L A manages the key token, APPL A purges the key token instead of calling the key purge function 48. Although not shown in FIG. 13, it is assumed that the appropriate return and condition codes are available to each invoking entity, and thus the requested operation completed successfully, or an error requiring additional action. The calling entity has an indication as to whether or not has occurred. Key generation function 47 and GPUPR
Those skilled in the art will recognize that instruction 52 is designed to operate with two types of key generation: (1) P
When U and PR are generated from the passphrase (mode =
(PP)), (2) When PU and PR are not generated from the passphrase (mode = “non-PP”). That is, the design of the key generation function and the GPU instruction is based on what is considered a preferred embodiment of the present invention. The reason is that neither mode can perform both kinds of key generation, and each mode has its own distinct advantages in key management as just discussed.

Public key and private key pair (PU, P
When R) is generated, it is important to identify whether this key was generated from a passphrase.
Basically, the key generated from the passphrase is a key known to the user. If not known directly, this key can be calculated by the user and is therefore known to the user in a strict sense. This is because the algorithms used to calculate PU and PR are estimated to be in the public domain. That is, there is no basis for keeping confidentiality. The only sensitive element is the passphrase itself. Thus, anyone who knows the passphrase can know (or calculate) the key. However, when the public key and private key pair (PU, PR) is not generated from the passphrase, that is, the random elements or values included in the key generation process are either seeded with a true random number generator (Fig. 8) or initially seeded. When generated by the cryptographic mechanism using any of the pseudo-random number generators (FIG. 9), the key generated by the key generation algorithm is unknown or known to the user for all practical purposes. It is something that cannot be done. (In many cases, the key is encrypted under the master key, and the generated key is as sensitive as the master key. Anyone who knows the master key also knows the generated PU and PR. But don't worry because the PU is a public key.) In a "smart" key management design, both types of generated keys are available. The private key PR not generated from the passphrase can theoretically be known only by the cryptosystem itself. Thus, if done properly, these keys can be used for integrity system-level or confidential system-level implementation. This is something that cannot be achieved if PR is known to the user. On the other hand, there are many functions that are often used by PR known to users. For example, authenticate the user to a cryptographic system, or authenticate the user to other users, or authenticate the information as coming from that user (eg, the user calculates and attaches a digital signature to his message). PR) is used. The key management design may make use of this difference in the following ways. As part of the processing of the GPUPR instruction 52, there is the step of making a PU, PR key token.

FIG. 15 shows formats of the PU key token and the PR key token. Since the PU key is a public key, the PU key token has a clear or encrypted form eKM. PU may be stored in H1 (PU). KM. H1 is the CF environment storage device 1 of CF30
It is an exclusive logical product of the secret master key KM stored in 46 and the cryptographic variable H1, and H1 hashes C1 to create the intermediate hash value 1, and hashes 1 to create H1. Created from the control vector for the PU by fixing a few bits. eKM. H
The exact standard of 1 (PU) is S. M. Matyas
Et al. In co-pending patent application "Public Key Cryptography System Key Management Using Control Vectors". Since the PR key is a private key, the PR key token is in the encrypted form eKM. Store PR only in H2 (PR). eKM. The exact standard of H2 (PR) is the S.
M. It is described in the co-pending patent application "Key Management for Public Key Cryptography Systems Using Control Vectors" by Matyas et al. The encryption variables H1 and H2 for encrypting PU and PR are different. H1 is derived from the control vector C1 associated with the public key PU, and H2 is derived from the control vector C2 associated with the private key PR. Each of the PU and PR key tokens is a control vector C that is key-related data such as a key name or CKDS label and usage control information.
Also includes 1 and C2. The PU and PR key tokens also have the form eKM. H1 '(KAR), eKM. H2 '(KA
R) is included. However, CKAR is a key confirmation record, and H1 'and H2' are encryption variables related to H1 and H2. KAR is a clear or encryption key, i.e. PU, eKM. C (PU) or eKM. C (P
R) is a cryptographic function. eKM. H1 '(KAR) and eKM. The exact standard of H2 '(KAR) is described in S.
M. It is described in the co-pending patent application "Key Management for Public Key Cryptography Systems Using Control Vectors" by Matyas et al. The PU and PR key tokens also include a header portion having information for identifying the storage location and length of other fields in the key token. This allows the field to be of variable length.

FIG. 16 shows the additional standard of the control vector part of the PU and PR key tokens. Referring to FIG.
The control vector includes a control vector type field named CV type, which indicates whether the key is a public key or a private key, and the key is a user key, a key management key, a certification key, or an authentication key. The exact identification of the four key types (user, key management, certification, authentication) is not important to the invention. However, it is important to understand that different key types have different purposes and uses in key management design. For example, limiting type = “user”, the public user key can be used only to generate a digital signature. On the other hand, type = "key management" is more extensive, it is also possible to use a private key management key for the purpose of encryption and to distribute the DEA key from one cryptographic device to another cryptographic device, or a public key. It is also possible to have the management key generate a digital signature. For example, a public key, private key pair can be used between two cryptosystems to distribute the DEA key that encrypts the key. After that, the key that encrypts the key is used to distribute the DEA key among others between the two respective cryptosystems, eg, the data key. In this case, one would generally not use public or private user keys for this purpose. The reason is that in this case, the user knows his private user key, or in theory knows himself the user intercepts the encrypted key which encrypts the key (ie This is because it can be decrypted with the key for encrypting the key), or with my private key PR. In this way, the user can find the value of the clear key that encrypts the key, and most cryptographic systems will overcome the intended security of the key distribution protocol. Therefore, at the time the PU, PR key token 52 creates a PU, PR key token, the mode specified as input at 50 to ensure that the key type and usage of the generated key matches the intended key management design. , PU, P specified as input at 50 in FIG.
It is part of the invention that the GPUPR instruction must perform a consistency check on the R control vector (or equivalently the control data at 50 in FIG. 13). For example, if CFAP specifies mode = "PP" and the control data indicates type = "key management", then G
The PUPR instruction 52 detects this inconsistency, and the processing is stopped due to the inconsistency instruction for the key type.
Operation must be terminated by an instruction to. On the other hand, if CFAP specifies mode = "PP" and control data indicates type = "user", then GPUPR instruction 52 must not abort the operation due to a key type mismatch. Note that although not mentioned here, an additional consistency check may cause the GPUPR instruction to abort. Since it is important that the key generated in the key token is concatenated with the control information that specifies the key type and usage, in the preferred embodiment of the present invention, the PU key token of FIG. 15 has the encrypted form eKM. , H1 (PU) must store the PU. This is accomplished by substituting H1 into the control vector of the key token, as described above. H1
The exact method by which the is dependent on the control vector is not critical here, but is detailed in the above-referenced co-owned patent application by SM Matyas et al., "Key Management for Public Key Cryptography Systems Using Control Vectors." From the foregoing, it will be appreciated that the present invention provides a means for generating public and private key pairs from a user-supplied passphrase. However, in most cryptosystems, when the public key and the private key are generated in the cryptosystem in such a manner that the user does not have the ability to predict or determine the value of the private key PR as described above. , More secure design is possible. Thus, the present invention also provides a means of controlling both usage of the type of key generated, depending on whether the key pair is derived from a passphrase or not. Prior art (USP 4,941,176, 4,91
8,728, 4,924, 514, 4,924, 51
5, 5, 007, 089) describes means for controlling key type and key usage through control vectors. However, this prior art does not describe how to limit the type and usage of keys according to how the keys are generated. In contrast, the present invention distinguishes between public and private keys that are generated from a passphrase and those that are not generated from a passphrase, and the specified key type should or should be allowed. We have shown that this segment is important for key management as a means of determining in a key generation instruction (ie, GPUPR instruction) if it should not. Thus, the present invention provides a means to properly control the generation process, so that the generated key has a control vector information that specifies the type of key and how it is processed in the cryptographic system. It will be appropriately cryptographically linked. Without these means of controlling the generated keys, the benefits of passphrases and keys generated from passphrases appear to weaken the overall security of the cryptosystem, and the benefits of keys derived from passphrases are: It would seem like a drawback, not an advantage. Therefore, the present invention not only provides a means for generating a key from a passphrase, but also an essential means for controlling the generated key within the key management.

FIG. 14 is an illustration of the operations performed within CF 30 as a result of calling GPUPR instruction 52.
The GPUPR instruction 52 of FIG. 14 is exactly the same as the GPUPR instruction 52 of FIG. 13 except that FIG. 14 has the additional step of calling the key generation algorithm 152 and the dynamically seeded pseudo-random number generator 200. is there.
Referring to FIG. 14, the input at 50 consists of a mode, an optional command word (called CW), a PU control vector, and a PR control vector. In FIG. 13, the PU control vector and the PR control vector are simply called control vectors. In response to being called, the GPUPR instruction 52
Calls the key generation algorithm KGA 152 at 53 and passes the mode parameter and option CW. In response, the KGA 152 performs the steps of performing key generation. For example, if the encryption algorithm performed in the CF 30 is the RSA algorithm, then the key generation step is as shown in FIG. KGA
The first time 152 requests a random number, the value of CW is used as an initial seed, and the length of random number RN required to obtain the value of the parameter "length" is added to value 128 (this is the next seed). Will be the length of).

The KGA 152 then calls 55 the dynamically seeded pseudo-random number generator 200 and passes the "length" and seed = CW as input parameters. pls respond,
The dynamically seeded pseudo-random number generator 200 generates a random number of length equal to "length" from an input seed equal to CW. For example, the algorithm shown in FIG. 12 can be used as the dynamically seeded pseudo random number generator 200. The generated random number RN having a length equal to "length" is 56.
Return to KGA152. FIG. 14 shows the output at 56 as the next seed and RN. In practice, the generated random number RN is simply a concatenation of the next seed (128 bits in length) and RN (the desired random number of length minus 128 bits equal to "length"). Upon receiving the RN, the KGA 152 parses it to get the next seed and RN. If the KGA 152 determines that it needs to make another call to the dynamically seeded pseudo-random number generator 200, the next seed value is saved. Then RN
The value is used in the key generation process. Next time KGA152
When the request a random number, the next seed value is retrieved and used as a seed, and the length of the requested random run is added to the value 128 to obtain the value of the parameter "length". The process continues in this way. If the key generation algorithm uses the method of FIG. 7 to generate the RSA key, the KGA 152 calls the dynamically seeded pseudo-random number generator 200 upon entering steps 161, 164, 170 in FIG. There is a need. The lengths of the required random numbers RN1, RN2, etc. will depend on the desired length of the modulus and on the particular implementation of the KGA and the cryptosystem itself.

The present invention provides for all such environments, as well as the RSA algorithm, RSA key generation algorithm,
One of ordinary skill in the art will appreciate that it can be practiced in implementing the RSA cryptosystem. In addition, key generation by these other algorithms requires a random number or random value that may be generated by the dynamically seeded pseudo-random number generator 200 at some point in the process during which the steps involved in key generation are performed. Those skilled in the public key algorithm will appreciate that it is similar to the key generation of the RSA algorithm in that As such, the present invention is not limited to the creation of RSA keys only, and those skilled in the art will generally appreciate that the method of generating public and private keys from a passphrase extends to other public key algorithms as well. I will admit. After the KGA 152 completes the key generation process,
That is, after PU and PR are generated, PU and PR are GP
The UPR instruction 52 is returned at 54. In response, G
The PUPR instruction 52 constructs a PU key token and a PR key token with the mode and control vector provided as inputs at PU, PR and 50. Next, as already mentioned, the GPUPR instruction 52 performs a consistency check on the mode and control vector supplied as input at 50 to see if the key type and usage match the key generation method (ie passphrase). Or not based on a passphrase).
If it passes the consistency check, PU key token and PR
The key token is returned to CFAP (Key Generation Function) at 51. On the other hand, if the consistency check does not pass, GPUPR instruction 52 stops and PU key tokens and PR key tokens are not returned to CFAP at 51.

Passphrase Selection Process: We have described the method of the present invention for generating public and private key pairs (PU, PR) from a secret passphrase supplied as input by the user. The resulting private key P
R is completely dependent on the passphrase value you enter,
Since the key generation algorithm is assumed to be public knowledge, it is presumed that the security of the private key PR depends entirely on the security of the passphrase itself.
If the enemy could obtain or guess someone's passphrase, he would be able to determine the private key PR using known key generation algorithms and passphrases. There are two basic categories of strategies that must be used to protect the confidentiality of a user's passphrase. That is: -Measures to prevent the selected passphrase from being disclosed to unauthorized parties, and-Measures to prevent the unauthorized party from simply estimating the selected passphrase.

The first category of policies is generally implemented by providing the user with a set of principles and guidelines. For example, passphrases should be remembered and not written down. If you write down your passphrase, you must do it in a controlled environment to avoid accidental disclosure. In addition, the copy you make a note of must be stored securely when not in use. Most of these rules are common sense per se and apply to many "secrets" that users deal with every day, such as handling system passwords, lock combinations, and private telephone numbers.

The measures of the second classification are often more difficult to clarify from the principle of common sense. This strategy focuses on the method the user uses to select the passphrase itself. It is clear that passphrases are easier to estimate than others. Therefore, there should be a systematic way of choosing "good" passphrases (ie, those that are not easily deduced) and avoiding "bad" passphrases (ie, those that are easily deduced).

FIG. 17 shows the passphrase selection process. The first step 300 is to prepare and publish a set of passphrase selection principles and guidelines. Passphrase selection guidelines are provided to the user to help the user select a "good" passphrase. These principles include a set of criteria that satisfy the passphrase "filter," in a written, easy-to-understand manner, as described in a later section.

Sample passphrase selection guideline: In this chapter, "because" is used to guide the user in creating an appropriate passphrase.
And a list of "bekazu". Specific examples are given to illustrate the good and bad choices. You shouldn't actually use any of the examples, as an adversary may be looking at this document.

Basically, the passphrase must be "constructed": it must not be chosen from phrases in the repertoire that the enemy might infer. Furthermore, in constructing a password, the "number" of words and the "frequency" of word usage are
Practically, make it so that the adversary cannot find the password using large-scale, directional search.

Using a "bad" password (eg your name or phone number) creates a cryptographic key that has the appearance of being randomly generated, and in this sense, against accidental intruders. Gives some protection. However, such keys do not provide true cryptographic protection.

The habits to avoid (the ciphertexts have been actually decrypted using these in the past) are as follows.

1. Do not select a passphrase from the passphrase list (eg a book) instead of configuring the passphrase yourself.

2. Do not use guessable phrases where a few words in the phrase give the remaining clues. For example: -A line from a well-known poem or lullaby-The name of a well-known person, place or thing-Do not use phrases from national, cultural, ethnic or religious herediti.

3. Do not use the same conceptual phrase as your previous passphrase. For example, if you used things about your grandfather last time, don't use things about your grandmother this time.

4. Do not use just one word as a passphrase. The average dictionary contains about 10,000 words. This variety is less than 2 to the 14th power, and can be readily determined by electronic velocity.

5. Do not use the most common English word "only". (That is, the basic word of Anglo-Saxon origin). This would reduce the size of the enemy dictionary from over 10,000 words to about 2,000 words or less.

6. Do not use the sentences found in elementary school textbooks. The effective habits are:

1. Create a new passphrase (ie it should be original) 1. The length of the passphrase depends on the letters of the alphabet (A ~
At least 40 to 50 characters excluding white space in Z). This is about 10 words, enough to prevent a thorough computer analysis.

3. Consider increasing the alphabet or dictionary required by the enemy by doing one or more of the following:

-Include special symbols (for example, depending on your keyboard, ‖ @ # $% "& * () _ +-"
=! ¢:;,. ? ″ ′ / \ | {} <>) ・ Introduce numbers in sentences.

• Deliberately misspelling a word.
(Example: happen 3 stance) ・ Use a foreign language. Adding to the set of input symbols, each symbol in the passphrase will have many more possible alphanumeric symbols instead of 26 possible characters. Of course, the fact that the passphrase becomes difficult to remember can hinder this practice.

4. It does not matter if the passphrase contains a unique name.

5. Try to remember your passphrase so you don't have to write it down. Conversely, the phrase should not be able to be inferred by anyone else, and consider including inside information that only you know.

Passphrase Example: Bad Passphrase Example: "Antidisestablismentarianism" -a single dictionary word "Dick and Jane see Spot run. Jump Spot jump.
-A textbook for the first grade of elementary school- "A bee bit me."-Too short- "George Washington Carrer" -Celebrity- "Mary had a little l amb, ifs fleece was whit"
e as snow. "-Famous poem-" Thon shalt have no other gods before Me. "-
Religious heritage- "Four score and sever years ago ..."-National tradition Examples of good passphrases:-"I have never lived in Chicago at 278 Lake Sh.
ore. "・「 Why do you believe that fishies dan't float
in the sky? "・" Did George Washington read Pascal or talk to
an ambass dor? '' ・ 「My favorite color is green or am I lieing &
it's Moorish Mist. "・" Counting "won, too, tree" is childish (but so
what)! 」・「 Cannot I dance on my head? I dunno, perhaps
I shall. ”Passphrase Filter: Referring again to FIG. 17, once the user selects a passphrase in step 301, evaluate the user's selection against a selection guideline issued to determine the quality of the selection. Is beneficial. This evaluation process may, of course, include guidelines and additional criteria beyond those published in Principle 300. Although it may be difficult to state the additional criteria in principle, it is nevertheless important in determining the quality of the chosen passphrase. Enter the trial passphrase as a comprehensive evaluation criteria 301,
Test trial passphrase 302 and accept or reject trial passphrase based on the result of test 302 3
It can also be automated, such as 03. 303
When entrusted with, it in turn triggers the enablement of the next key generation process. When rejected, it triggers an error message and prompts the user to choose another phrase. Passphrase test 302 may be performed in the form of a passphrase filter.

The passphrase filter is a routine for rejecting "bad" user configured passphrases, that is, passphrases that an adversary may be able to find through a thorough pointing search. When a possible passphrase is generated, the passphrase filter is invoked and the passphrase is provided as a parameter input. With a standard English dictionary containing the most frequently used 10,000 words,
The passphrase filter calculates a lower bound on the number of passphrases an adversary computer program normally must enumerate before recreating the user's passphrase. This information is reported to the caller, who may choose to waiver, modify, or accept the passphrase.

The passphrase filter does not automatically guarantee that the passphrase is "good", but it can eliminate most "bad" passphrases. Using a passphrase filter with the principles provided for passphrase construction in this sense minimizes the chance of inadvertent use of a "bad" passphrase, thus improving overall security.

The passphrase filter is conceptually similar to the password filter and is a routine that rejects "bad" user-set passphrases or passphrases that an adversary may be able to find by a thorough directional search.

An example involving a passphrase illustrates the importance of this checking procedure. User-selected passwords, such as user-selected passphrases, provide a more user-friendly interface to access control. However, it is well known that humans tend to "take the easy path". Examining the 6-digit passwords chosen by 1000 people, it is certain that their distribution is not uniform. 6
You will find that there are disproportionately high numbers of passwords consisting of repeated numbers (000000, 111111, etc.), sequential numbers (123456, 234567, etc.) or numbers in a clear pattern. Knowing this, the adversary can organize a thorough directed search to find the most likely candidate first. In many cases, it takes only a few attempts to find a password. As a countermeasure,
The potential risks involved in password selection must be communicated to the user, and the introduction of computer systems must provide the user with a set of simple principles to be followed in password selection. Many computer systems can also provide password checking algorithms to test and reject weak passwords.

A similar, but more complex set of principles must be observed in passphrase construction. In many cases, the principle is not intuitive, so the passphrase filter implemented in the system is even more important. The passphrase filter consists of a set of simple fast tests applied to the trial passphrase. Each test evaluates passphrase variability. After running all tests, report the minimum value to the user.

FIG. 18 shows a cryptographic system which has a cryptographic mechanism capable of executing the cryptographic instruction set 2 and includes a key storage device 3, a cryptographic mechanism access program 4, and a user application program 5. The encryption mechanism access program 4 includes a passphrase filter utility program 6 and is a CFA called a check passphrase 7.
Accessed through P service. The following steps are included to check the trial passphrase. The application 5 calls the check passphrase service 7. Check the trial passphrase and return the passphrase variability estimate to the caller. The caller must set the minimum variability for the trust. For example, D
For EA key generation, the variability should be a minimum of 2 56.

FIG. 19 is a flow chart of the processing steps of the passphrase filter routine. The passphrase filter does the following checks:

1. Pattern analysis-is the symbol or sequence of symbols repeated? 2. Character Frequency Analysis-How often do individual letters, double letters, triple letters, etc. appear in a typical language, and what if you limit yourself to the proposed passphrase? 3. Word Frequency Analysis-How often does a particular word appear? The estimated variability of the passphrase reported to the user by the passphrase filter is the minimum variability obtained from each of the above analyses. The method of performing these analyzes is described below.

Pattern analysis: A standard statistical analysis of the trial passphrase reveals the following:

1. All alphabets used in passphrases 2. Repeating letters or groups of letters This data facilitates the calculation of statistical variability.
For example, assume that the "effective alphabet" consists only of the symbols that appear in the passphrase, and define the "effective length" of the passphrase as the length of the passphrase excluding all repetitions. Then a passphrase like "IIIIII" would be classified as "bad".

There is also a natural order of numbers and letters. Using this natural order, the passphrase could be guessed by the enemy. One way to detect numbers or alphabetical order is to assign a rank number to each number and letter and use a finite difference calculation method. This method is used to calculate the degree of a polynomial through a finite number of specified points. This method is shown below.

1. Rank numbers 1 to 10 are assigned to the numbers 0 to 9 and rank numbers 11 to 36 are assigned to the letters "A" to "Z".
Assign

2. Generate a list of rank numbers for a passphrase.

3. Starting from the left edge, subtract the immediate right element from each element to compute the first order difference. The last number in the list has no difference for it to be calculated.

4. Do the same for the number of primary differences to calculate the secondary differences.

For example, assuming the passphrase as follows, passphrase: 1 2 3 4 5 Rank number: 02 03 04 05 06 06 Primary difference: 01 01 01 01 01 Secondary difference: 00 00 00 00 In the list of primary differences When the input is zero, it means that the adjacent rank numbers are the same. When the input is zero in the secondary difference list, it means that the primary difference is the same, that is, the rank number has changed by a constant number, and one piece of the passphrase becomes an order such as "246" or "ABC". Means that In the variability calculation, the effective length of the passphrase is subtracted by the number of zeroes in the primary and secondary difference lists. (Because such zeros indicate a repeating or simple pattern).

This rank number analysis can also be done in numerical and letter order on a "qwerty" (or other) keyboard.

Character Frequency Analysis: The next character list is Gaimes
It is taken from (Reference 2).

A frequency-ordered list of characters in English is ETAONISRHLDCUPFMWYBGVKQXJ
Z.

If special symbols are included, then the most common symbols (even more than "E") are blanks or spaces. The frequency-ordered list of double letters in English is TH HE AN IN ER RE ES ON E
A TI AT STEN ND OR TO NT
ED IS AR ... The triplet frequency order list in English is THE AND THA ENT ION TIO F
OR NDE HASNCE EDT TIS OFT
STH MEN ... 1. Each letter is grouped into frequency groups and each group is given an estimate of variability. For simplicity, we define a group so that the group variability should be an integer power of two.

A. 2 to the power of 0 (2 ^** 0) E b. 2 to the power of 1 (2 ^** 1) T c. 2 squared (2 ^** 2) AO d. 2 to the power of 3 (2 ^** 3) NISR e. 2 to the power of 4 (2 ^** 4) HLDCUPM f. 2 to the 5th power (2 ^** 5) WYBGVKQXJZ g. A value of 2 to the 5th power is added to special symbols other than blank.

2. Check for repeating patterns of characters in the passphrase and remove repeating patterns from the passphrase to be analyzed.

3. Remove all blanks from the passphrase you are trying to analyze.

4. Sum the exponents of 2 corresponding to each letter (after stripping the pattern). The sum is the variability of this test.

5. Do the same for double and triple letters.

Word Frequency Analysis: Below is John B. Carroll
"The American Heritage Word Frequency Book" (1
971). Most common english 100
The frequency ordered list of words is:

THE OF AND A TO IN IS YOU THAT IT HE F
OR WAS ON ARE AS WITH HIS THEYAT BE THIS FROM I HA
VE OR BY ONE HAD NOT BUT WHAT ALL WERE WHEN WE THE
RECAN AN YOUR WHICH THEIR SAID IF DO WILL EACH ABO
UT HOW UP OUT THEM EHENSHE MANY SOME SO THESE WOUL
D OTHER INFO HAS MORE HER TWO LIKE HIM SEETIME COU
LD NO MAKE THAN FIRST BEEN ITS WHO NOW PEOPLE MY M
ADE OVER DIDDOWN ONLY WAY FIND USE MAY WATER LONG
LITTLE VERY AFTER WORDS CALLEDJUST WHERE MOST KNOW The paths that an enemy computer program would have to enumerate before regenerating the user's passphrase, using the standard English vocabulary containing the 10,000 most frequently used words. A utility program calculates the lower limit of the number of phrases.

1. Build the word frequency list as follows:

A. 2 to the power of 0 (2 ^** 0) THE b. 2 to the power of 1 (2 ^** 1) OF c. 2 squared (2 ^** 2) AND A d. 2 to the third power (2 ^** 3) TO IN IS YO
U e. 2 to the fourth power (2 ^** 4) THAT IT HE
FOR WAS ONARE AS f. Etc. Build this list for a word frequency list to the desired length. If a word does not appear in the list, it is assumed to have the same frequency as the least frequent word in the list.

2. Check for repeating words and remove them from the passphrase to be analyzed.

3. Sum the exponents of 2 corresponding to each word in the passphrase. The sum is the variability of this test.

While particular embodiments of the present invention have been disclosed, it will be apparent to those skilled in the art that modifications can be made to the particular embodiments without departing from the spirit and purpose of the invention.

The method of managing a public key cryptosystem of the present invention uses a first seed value known to a user to generate a first public key, a private key pair, and a first public key, Generating a first control vector defining a first use of the private key pair, generating a second public key, a private key pair, using a second seed value known to the user, and Second public key, second private key pair
Generating a second control vector defining the use of the first public key, a control vector using the first control vector to control the use of the first public key, private key pair;
Control vector of the second public key, the use of the private key pair with the control vector of.

Here, the first seed value may be generated from the passphrase, and the second seed value may be a true random number. Further, the method may include a step of generating a first random number using the first seed value and applying the first random number to the first generating step. Further, the pseudo random number generator may generate the second random number by using the second seed value, and the second random number may be applied to the second generating step.

Further, the first control vector has two components, the first control vector for controlling the use of the first public key.
Public key control vector and a first private key control vector for controlling the use of the first private key.

Alternatively, the second control vector has two components, a second public key control vector for controlling the use of the second public key and a second public key for controlling the use of the second private key. It may have a second private key control vector.

The first control vector controls the first private key to limit its use to the generation of digital signatures, and the second control vector controls the second private key to control its use. You may be restricted to generating digital signatures and decrypt the encrypted keys received as part of the key distribution protocol.

Alternatively, the first control vector limits the use of the first public key to the verification of the digital signature, and the second control vector limits the use of the second public key to the verification of the digital signature and key distribution protocol. May be restricted to the encryption of keys in.

Alternatively, the first control vector controls the generation of the digital signature by the first private key, and the second control vector prohibits the use of the second private key for the generation of the digital signature. May be.

The method for managing the public key cryptosystem including the public key and private key pair generator of the present invention is also the method of managing the first public key and private key pair using the first seed known to the user. Generate the first public key,
Generating a first control vector defining a first use of a private key pair, and generating a second public key, a private key pair, using a second seed value unknown to the user,
And a step of generating a second control vector defining a second private key pair of the second public key, private key pair, and using the first public key, private key pair using the first control vector And controlling the use of the second public key, private key pair by the second control vector.

Here, the first seed value may be generated from the passphrase, and the second seed value may be a true random number.

It may also include performing a step of generating a first random number using the first seed value and applying the first random number to the first generating step.

Alternatively, the step of generating a second random number using the second seed value in the pseudo random number generator and applying the second random number to the second generating step may be included.

The first control vector has two components, a first public key control vector for controlling the use of the first public key and a first public key control vector for controlling the use of the first private key. May have a private key control vector of

The second control vector has two components, a second public key control vector for controlling the second public key and a second public key for controlling the second private key.
May have a private key control vector of

The first control vector controls the first private key and limits its use to the generation of digital signatures,
The second control may also control the second private key, whose use limits the generation of digital signatures and the decryption of encrypted keys received as part of the key distribution protocol.

The first control vector limits the use of the first public key to the verification of the digital signature, and the second control vector limits the use of the second public key to the generation of the digital signature and the key distribution in the key distribution protocol. Encryption may be restricted.

Even if the first control vector controls the generation of the digital signature with the first private key, and the second control vector prohibits the use of the second private key from generating the digital signature. Good.

An apparatus for managing a public key cryptosystem including a public key / private key pair generator of the present invention generates a first public key / private key pair using a first seed value known to a user. , Also a first public key, a first to generate a first control vector defining a first use of the private key pair,
A second public key and a private key pair are generated using a generating means and a second seed value unknown to the user, and a second control vector defining a second use of the second public key and the private key pair is generated. Second generating means for controlling the use of the first public key and private key pair using the first control vector, and the second public vector by the second control vector. A key, a control means coupled to the second generating means for controlling the use of the private key pair.

Here, the first seed value may be generated from the passphrase, and the second seed value may be a true random number.

The first generating means may generate the first random number using the first seed value, and may apply the first random number to generate the first public key / private key pair.

The second generating means may generate the second random number by using the second seed value in the pseudo random number generator, and may apply the second random number to generate the second public key / private key pair.

The first control vector has two components, the first public key control vector for controlling the use of the first public key and the first public key for controlling the use of the first private key.
It may have a private key control vector.

The second control vector has two components, a second public key control vector for controlling the use of the second public key and a second private key control vector for controlling the second private key. You may have.

The first control vector controls the first private key to limit the use of the first private key to the generation of the digital signature, and the second control vector controls the use of the second private key of the digital signature. The second private key may be controlled to limit generation and decryption of encrypted keys received as part of the key distribution protocol.

The first control vector limits the use of the first public key to the verification of the digital signature, and the second control vector limits the use of the second public key to the verification of the digital signature and the encryption of the key in the key distribution protocol. You may limit it.

The first control vector may control the generation of the digital signature with the first private key, and the second control vector may have the use of the second private key inhibit the generation of the digital signature.

[Brief description of drawings]

FIG. 1 is a block diagram illustrating generation of a public key and a private key pair from a passphrase in a cryptographic system A shared by users i and j.

FIG. 2 is a block diagram illustrating generation of a public key and a private key pair from passphrases by cryptographic systems A and B by a user i.

FIG. 3 is an illustration of a communications network 10 that includes multiple data processing devices, each including a cryptographic system.

FIG. 4 is a block diagram showing the configuration of a cryptographic system 22.

FIG. 5 is a block diagram showing a configuration of an encryption mechanism 30.

FIG. 6 is a block diagram of components of a cryptographic algorithm 144 of the encryption mechanism 30.

FIG. 7 is a block diagram of the components of a key generation algorithm 151 of the encryption mechanism 30 illustrating the steps involved in RSA key generation.

FIG. 8 is a block diagram illustrating a “true” random number generator 180.

FIG. 9 is a block diagram illustrating an initially seeded pseudo random number generator 190.

FIG. 10 is a block diagram illustrating a dynamically seeded pseudo random number generator 200.

FIG. 11 is a block diagram of cryptographic algorithm 144 components of cryptographic mechanism 30 modified to include a dynamically seeded pseudo-random number generator 200 in accordance with the present invention.

FIG. 12 is a block diagram illustrating a specific example of a dynamically seeded pseudo random number generator.

FIG. 13 is a block diagram showing the steps involved in generating a public key and private key pair from an input passphrase according to the present invention.

FIG. 14 is a block diagram illustrating a public key and private key pair generation (GPUPR) instruction according to the present invention.

FIG. 15 is a block diagram illustrating PU key and PR key tokens.

FIG. 16 is a block diagram illustrating a control vector portion of PU and PR key tokens.

FIG. 17 is a block diagram illustrating a passphrase selection process.

FIG. 18 is a block diagram illustrating a cryptographic system that uses a passphrase filter for a trial passphrase test provided by a user application.

FIG. 19 is a block diagram illustrating functional elements of a passphrase filter.

[Explanation of symbols]

 1, 30 Cryptographic mechanism (CF) 2 Cryptographic instruction set 3 Key storage device 4 Cryptographic mechanism access program 5 User application program 6 Passphrase filter utility program 7 Check passphrase service 10 Communication network 20 Data processing device 22 Cryptographic system 32 Cryptography Key data set (CKDS) 34 Cryptographic mechanism access program (CFAP) 36 Application program (APPL) 42 Application program A (APPL A) 43, 44, 45 46 Key storage manager 47 Key generation function 48 Key purge function 52 GPUPR instruction 140 Security range 142 Instruction processing device 144,150 Cryptographic algorithm 146 Cryptographic mechanism environment storage device 151 Key generation algorithm ( GA) 152 random number generation algorithm 180 "true" random number generator 181 pseudo-random number generator 191 and 201 the algorithm 194 seed memory 200 pseudo random number generator which is dynamically seed is hardware circuit 190 seeds initially

[Procedure amendment]

[Submission date] November 16, 1992

[Procedure Amendment 1]

[Document name to be amended] Statement

[Name of item to be amended] Claims

[Correction method] Change

[Correction content]

[Claims]

 ─────────────────────────────────────────────────── ─── Continuation of the front page (72) Inventor Donald, B, Johnson United States Virginia, Manassas, Crystal, Creek, Lane, 11635 (72) Inventor Anne, Buoy, Re United States Virginia, Manassas, Battlefield, Drive, 10227 (72) Inventor William, Sea, Martin North Carolina, USA, Concord, Hilliard, Lane, 1835 (72) Inventor Lostislaw, Primac, Virginia, Dumfries, Fairway, Drive, 15900 (72) Inventor John, Dee, Wilkins Summerville, Pea, Oh, Box, 8 Virginia, USA

Claims (15)

[Claims] 1. A public key in a data processing system,
A method of managing a public key cryptosystem including a private key pair generator, the method comprising: generating a first public key, a private key pair using a first seed value known to a user; Generating a first control vector that defines a first use of the public key, private key pair of, and a second public key, private key pair using a second seed value known to the user. Generating and also generating a second control vector defining a second use of said second public key, a private key pair, said first public key using said first control vector,
Controlling the use of a private key pair, the second public key using the second control vector,
Controlling the use of the private key pair. 2. A public key in a data processing system,
A method of managing a public key cryptosystem including a private key pair generator, the method comprising: generating a first random number using a first seed value derived from a passphrase; Generating a second random number using a seed value of 2; generating a first public key, a private key pair using the first random number; and generating the first public key and the first public key. Generating a first public key control vector and a first private key control vector, respectively, to define a first use of the private key; and using the second random number to generate a second public key. , A second public key control vector and a second private key control, respectively, for generating a private key pair and defining a second use of the second public key and the second private key, respectively. Step to generate vector Controlling the use of the first public key and the first private key using the first public key control vector and the first private key control vector, respectively. Controlling the use of said second public key and said second private key with two public key control vectors and said second private key control vector, respectively. . 3. A method of managing a cryptographic system having a key generator in a data processing system, the method comprising: generating a first random number using a first seed value derived from a passphrase; Generating a second random number using a second seed value unknown to the user, and generating a first key using the first random number, and controlling the use of the first key. Generating a first control vector, generating a second key using the second random number, and generating a second control vector for controlling a second private use of the second key. Generating, controlling the use of the first key by the first control vector, controlling the use of the second key by the second control vector, the first key The first use of And a step different from the second use of the second key. 4. A public key in a data processing system,
A method for managing a public key cryptosystem including a private key pair generator, the method comprising: generating a random number using a first seed value derived from a passphrase; Generating a private key pair, the first control vector controlling the use of the public key, the second control vector controlling the use of the private key, and The first
Generating a second control vector for the private key and a second control vector for the private key. 5. A data processing system, a public key,
A method for managing a public key cryptosystem including a private key pair, the method comprising: generating a random number using a seed value derived from a passphrase; generating a public key and a private key pair using the random number. And a step of performing. 6. A public key in a data processing system,
A method for managing a public key cryptosystem including a private key pair generator, the method comprising: generating a first public key, a private key pair using a first seed known to a user; Official key of the
Generating a first control vector defining a first use of a private key pair, generating a second public key, a private key pair using a second seed value unknown to the user, and 2 official keys,
Generating a second control vector defining a second use of a private key pair, the first public key using the first control vector,
A method, comprising: controlling the use of a private key pair; and controlling the use of the second public key, a private key pair with the second control vector. 7. A public key in a data processing system,
A method for managing a public key cryptosystem including a private key pair generator, the method comprising: generating a first random number using a first seed value derived from a passphrase; Generating a second random number using a second seed value, generating a first public key, a private key pair using the first random number, and generating the first public key and the first public key. Generating a first public control key vector and a second private key control vector for respectively defining a first use of the private key of the second public key using the second random number. , A second public key control vector and a second private key control for generating a private key pair and defining a second use of the second public key and the second private key, respectively. Vector generating step And using the first public key control vector and the first private key control vector to control the first use of the first public key and the first private key, respectively. And using the second public key control vector and the second private key control vector to control the use of the second public key and the second private key, respectively. A method of including. 8. A method for managing a cryptographic system having a key generator in a data processing system, the method comprising: generating a first random number using a first seed value derived from a passphrase. Generating a second random number using a second seed value unknown to the user; generating a first key using the first random number; and controlling the use of the first key A second control for generating a second key using the second random number and controlling a second use of the second key. Generating a vector; controlling the use of the first key by the first control vector; controlling the use of the second key by the second control vector; The first of the keys The use of the second key is different from the second use of the second key. 9. A data processing system, a public key,
A method for managing a public key cryptosystem including a private key pair, the method comprising: generating a random number using a first seed value derived from a passphrase; Generating a key pair and generating a first control vector for the public key and a second control vector for the private key, the first control vector controlling the use of the public key, A control vector controlling the use of the private key. 10. A method for managing a public key cryptosystem including a public key and a private key pair generator in a data processing system, the method comprising generating a random number using a seed value derived from a passphrase. And a step of generating a public key / private key pair using the random number. 11. A device for managing a public key cryptosystem including a public key and a private key pair generator in a data processing system, the first public key using a first seed value known to a user,
First generating means for generating a private key pair and also for generating a first control vector defining a first use of said first public key, private key pair; and a second seed value using a second seed value unknown to the user. Second public key and a private key pair, and second generating means for generating a second control vector defining a second use of the second public key and private key pair; and using the first control vector, Control means coupled to the first generating means for controlling the use of the first public key, private key pair; and controlling the use of the second public key, private key pair by the second control vector. Apparatus for controlling the second generation means, the control means being coupled to the second generation means. 12. A device for managing a public key cryptosystem, including a public key and a private key pair generator, in a data processing system, the device using a first seed value derived from a passphrase.
A first generating unit for generating a random number; a second generating unit for generating a second random number using a second seed value unknown to the user; a first public key using the first random number; A first public key control vector for generating a private key pair and a first public key control vector and a first private key control vector for defining a first use of the first public key and the first private key, respectively; A second public key for generating a second public key and a private key pair using the second random number, and defining a second use of the second public key and the second private key, respectively. The second public key control vector and the first private key control vector are respectively used to generate a control vector and a second private key control vector, and the first public key control vector and the first private key control vector. Private key The first for controlling the use of
Control means coupled to the generation means, and for controlling the use of the second public key and the second private key by using the second public key control vector and the second private key control vector, respectively. , The second
A control means coupled to the generating means. 13. A device for managing a cryptographic system having a key generator in a data processing system, the first seed value being derived from a passphrase.
First generating means for generating a random number, second generating means for generating a second random number using a second seed value unknown to the user, and generating a first key using the first random number And also the first
Said first generating means for generating a first control vector for controlling the use of a key; generating a second key using said second random number;
Coupled to said second generating means for generating a second control vector for controlling the second use of a key, and to said first generating means for controlling the use of said first key with said first control vector Control means coupled to the second generating means for controlling the use of the second key with the second control vector, the first use of the first key being the second The second of the key
A device characterized in that it includes different from use. 14. A device for managing a public key cryptosystem including a public key and a private key pair generator in a data processing system, wherein a random number is generated by using a first seed value derived from a passphrase. Generating means for generating a public key and a private key pair using the random number, and generating a first control vector for the public key and a second control vector for the private key, wherein the first control vector is An apparatus for controlling the use of a public key, said second control vector comprising said generating means for controlling the use of said private key. 15. An apparatus for managing a public key cryptosystem including a public key and a private key pair generator in a data processing system, wherein the seed value derived from a passphrase is used to generate a random number. An apparatus comprising: a means for generating a public key and a private key pair using the random number.